portaudit wishlist

[Oliver Eikemeier]

Ok, things that I think would be really useful (incomplete list):

- csh-style braces. When this is not the right syntax, this could be 
done with
   <optional>ja-</optional>bugzilla
or
   <alternate><choice>ja-</choice><choice>kr-</choice></alternate>cups

but we have many slave ports which just differ in prefixes/suffixes, and 
it would be easy to expand them when reading the file.

Yes, portaudit does linear searches. Besides, this will greatly diminish 
the size of the database.

I'm even willing to sacrifice glob patterns `*' and `?' for that, 
although they can be quite convenient sometimes.

- 1.* notation as the `smallest 1.x version possible'. 1.a is not the 
smallest, besides it is not completely transparent why .a is chosen in 
the range. When the `*' is the problem, this could be easily changed to 
a random character, or even a <ger></ger> (greater equal range) tag (ok, 
the name is silly), but I want to have some standard way like >= 1.* < 
2.* to match all 1.x and nothing else. No, I don't think >= 1.a < 2.a is 
good here.

- make `discovery' optional. It's a nice-to-have, but sometimes hard to 
find out, and dummy entries like entry = discovery do not help anyone. 
(ok, superseeded by another thread).

- make `description' optional. It is in the way of `quick' entries which 
should be researched later. Of course it is acceptable to fill it with a 
dummy value, but in this case it shouldn't be present IMHO and the dummy 
value should be provided by the rendering code. Or will an empty tag do?

- make a `severity' field available. Of course it might be inaccurate, 
and software might want to ignore it and provide it's own data. Yet it 
is useful when you only have time for a quick glance (notify me 
immediately of severe vulnerabilities, all others should only appear in 
fridays report). It is a valuable guidance for the users, although I'm 
aware it is very error-prone.

- add a classification into remote/local exploitable

- add a `fixed' field that lists a version where the vulnerability is 
fixed. This could be used for a recommendation message, like "upgrade to 
version xxx" or "no upgrade is available, please deinstall the port or 
proceed with caution".
This could also realized as an alternate <lt> tag.

- Also we should add tags for the most popular references. Speaking of 
references, I would prefer something like <bid num="10499">CVS Multiple 
Vulnerabilities</bid>, which means they canbe rendered with a meaningful 
line (but most not, so <bid num="10499"/> is legal too).

Ok, too many threads now. I have too look into this a little closer.
-Oliver